CVE-2019-8231 magento/core

Package

Manager: composer
Name: magento/core
Vulnerable Version: >=0 <1.9.4.3

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00188 (percentile: 0.40905)

Details

Magento Remote code execution through catalog attribute sets

In Magento Open Source prior to 1.9.4.3, and Magento Commerce prior to 1.14.4.3, an authenticated user with administrative privileges for editing attribute sets can execute arbitrary code through custom layout modification.

Metadata

Created: 2022-05-24T17:00:30Z
Modified: 2024-01-10T21:37:02Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qpc8-m2xm-9w75/GHSA-qpc8-m2xm-9w75.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-qpc8-m2xm-9w75
Finding: F422
Auto approve: 1